Is Fileless Malware Really Fileless?

Reports of fileless malware infecting companies around the world have hit a new high, most recently attributed to a single group, FIN7. Besides residing in memory in order to remain nearly invisible, another aspect of fileless malware is the usage of widely deployed tools which systems administrators rely on, such as PowerShell. I wrote back in 2015 on how attackers could be living off the LAN by using similar techniques.

Why are attackers suddenly again leveraging fileless malware?

Fileless malware does not mean memory only malware. There is a migration towards fileless malware, simply because running exploits directly in memory has a lower detection rate for security tools than executing a malicious binary on an endpoint.

That being said, the point where attacks like this are detected easily is when they attempt to establish a persistence on the victim machine. Any persistence leaves behind evidence in predictable locations on disk. This is typically in the registry, system services, or scheduled tasks. Monitoring these areas can provide early indications of even the most advanced attacks.

Groups such as FIN7 operate like any other legitimate business. They are after return on investment for their criminal endeavors. When they see success in business opportunities such as fileless malware, they will continue to fund development in exploit techniques. It’s easy for an attacker to change the tools at their disposal, it is much harder for someone to change their tactics, techniques, and procedures.

While a migration to using fileless malware is a new development, the data they are after and the attack patterns they use will still be very similar. Adopting best practices and leveraging critical security controls will continue to be the best bet for defending against advanced adversaries, such as FIN7.

Since not every endpoint solution inspects memory directly, this makes memory an ideal place to hide. In addition, tools such as PowerShell are already deployed. These have multiple benefits for the attacker. Being able to live off the LAN reduces the noise in having to deploy malware to their victims.

Since every endpoint solution will monitor the file system, writing to disk can trip the tripwire where defenses are looking. Having malware only reside in memory will avoid that risk. These tools are also widely used, malicious usage can attempt to blend into the typical noise of the environment.

Because Windows is the primary focus of existing fileless malware, we’ll look at why fileless malware isn’t really fileless. With a narrow scope of defining malware as the actual code executing on the operating system, then fileless malware can indeed be fileless.

Even the best endpoint products can miss advanced malware running in memory, and few organizations are running memory analysis tools like Volatility.

Taking a step back from the narrow definition, the goal of the person behind the malware is to gather as much data against their target as possible. In order to do that, the malware needs to be able to recover from interruptions, and the way to do that is persist across reboots. In order to persist, something needs to be written to disk.

In looking at research conducted earlier this year, the fileless malware created a service in order to persist after a reboot. The two registry keys written to were:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp

The services section of the ControlSet hives are where system services live within the registry. This is how the malware will persist after a system reboot. The registry hive has CurrentControlSet, ControlSet001, and ControlSet002. According to this helpful Microsoft KB Article:

“ControlSet001 may be the last control set you booted with, while ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows NT. The CurrentControlSet subkey is really a pointer to one of the ControlSetXXX keys.”

Registry hives are stored as a file on the operating system in the System32 directory. The SYSTEM hive referenced above is written to the %WINDIR%\System32\config\SYSTEM file on the operating system – definitive proof that fileless malware is in fact, not actually fileless.

Any malware that hopes to survive for an extended length of time ultimately needs to persist somewhere, and that will likely be found somewhere on disk.

It doesn’t matter how advanced your adversaries are, the simple defensive measures still matter. Adopting just the first five critical security controls will stop 85 percent of attacks. For the remaining 15 percent, monitor the endpoints for change to quickly identify malicious behavior.

About the author: Travis Smith is a Senior Security Research Engineer at Tripwire. He has over 10 years experience in security, holds an MBA with a concentration in information security, and multiple certifications including CISSP, GIAC and GPEN. Travis specializes in integrating various technologies and processes, with a passion for forensics and security analytics with the goal of helping customers identify and mitigate real threats.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.